2 - Pre-Engagement

Penetration Test: Pre-Engagement Template

1. Project Metadata

  • Client Name: [Client Name]
  • Project Name: [Project Name / Engagement Title]
  • Date Created: [YYYY-MM-DD]
  • Start Date: [YYYY-MM-DD]
  • End Date: [YYYY-MM-DD]

Key Personnel

  • Primary Client Contact: [Name, Title, Email, Phone]
  • Secondary Client Contact: [Name, Title, Email, Phone]
  • Technical Support Contact: [Name, Title, Email, Phone]
  • Signatory Authority: [Name, Title]
  • Lead Penetration Tester: [Your Name]

2. Master Document Checklist

  1. Non-Disclosure Agreement (NDA)
     • Status: [Pending | Signed]
     • Notes:
  2. Scoping Questionnaire
     • Status: [Sent | Received | Reviewed]
     • Notes:
  3. Scoping Document
     • Status: [Drafting | Finalized]
     • Notes:
  4. Penetration Testing Proposal (Contract/SoW)
     • Status: [Drafting | Sent | Signed]
     • Notes:
  5. Rules of Engagement (RoE)
     • Status: [Drafting | Finalized | Signed]
     • Notes:
  6. Contractors Agreement (Physical Assessments)
     • Status: [N/A | Required | Signed]
     • Notes:
  7. Reports
     • Status: [In Progress | Delivered]
     • Notes:

3. Scoping Questionnaire

Assessment Type(s) Required

  • Internal Vulnerability Assessment
  • External Vulnerability Assessment
  • Internal Penetration Test
  • External Penetration Test
  • Wireless Security Assessment
  • Application Security Assessment
  • Physical Security Assessment
  • Social Engineering Assessment
  • Red Team Assessment
  • Web Application Security Assessment

Notes on specific requirements (e.g., black box, evasiveness, vishing):

Critical Scoping Information

  • How many expected live hosts?

    Answer:

  • How many IPs/CIDR ranges in scope?

    Answer:

  • How many Domains/Subdomains are in scope?

    Answer:

  • How many wireless SSIDs in scope?

    Answer:

  • How many web/mobile applications? Authenticated roles?

    Answer:

  • For phishing: how many users targeted? List provided?

    Answer:

  • For physical assessment: how many locations? Geographically dispersed?

    Answer:

  • Objective of the Red Team Assessment? Out of scope activities?

    Answer:

  • Is a separate Active Directory Security Assessment desired?

    Answer:

  • Will network testing be performed unauthenticated (anonymous) or as a standard domain user?

    Answer:

  • Do we need to bypass Network Access Control (NAC)?

    Answer:

Information Disclosure & Evasiveness

  • Information Disclosure Level:

    • Black Box (no information provided)
    • Grey Box (limited information, e.g., in-scope IPs/URLs provided)
    • White Box (detailed information provided, e.g., credentials, source code, architecture)
  • Evasiveness Level:

    • Non-Evasive
    • Hybrid-Evasive (start quiet, get louder)
    • Fully Evasive

4. Contract / Scope of Work (SoW) Checklist

  • NDA:

    • A confidentiality agreement between the client and contractor covering everything learned during the engagement.
    • Notes:
  • Goals:

    • High-level and fine-grained milestones to be achieved.
    • Notes:
  • Scope:

    • Individual components to be tested (domains, IPs, specific accounts).
    • Notes:
  • Penetration Testing Type:

    • The chosen type of test (e.g., Internal, External, Web App).
    • Notes:
  • Methodologies:

    • Examples: OSSTMM, OWASP, PTES.
    • Notes:
  • Penetration Testing Locations:

    • External (remote, typically via VPN) and/or Internal (on-site or via a client-provided jump host).
    • Notes:
  • Time Estimation:

    • Start and end dates for the entire engagement and for specific phases (e.g., Exploitation, Post-Exploitation), plus the permitted testing hours (during or outside business hours).
    • Notes:
  • Third Parties:

    • Any cloud providers, ISPs, or hosting providers involved. Written consent must be obtained from them by the client.
    • Notes:
  • Evasive Testing:

    • Clarify if techniques to evade security systems are in scope.
    • Notes:
  • Risks:

    • Inform the client of potential risks (e.g., system instability, locked accounts).
    • Notes:
  • Scope Limitations & Restrictions:

    • Which servers, workstations, or network components are critical and must be avoided.
    • Notes:
  • Information Handling:

    • Compliance requirements (e.g., HIPAA, PCI DSS, NIST) that govern how client data encountered during testing must be handled.
    • Notes:
  • Contact Information:

    • A full list of contacts and an escalation priority order.
    • Notes:
  • Lines of Communication:

    • E-mail, phone calls, personal meetings.
    • Notes:
  • Reporting:

    • Structure of the report, customer-specific requirements, and presentation plans.
    • Notes:
  • Payment Terms:

    • Prices and terms of payment.
    • Notes:

5. Rules of Engagement (RoE) Checklist

  • Introduction: Description of the RoE document.
  • Contractor: Company name, key contacts.
  • Penetration Testers: Names of testers.
  • Contact Information: Full contact details for all parties.
  • Purpose: Purpose of the penetration test.
  • Goals: Goals to be achieved.
  • Scope: All IPs, domains, URLs, CIDR ranges.
  • Lines of Communication: E-mail, phone, etc.
  • Time Estimation: Start and end dates.
  • Time of the Day to Test: Specific testing hours.
  • Penetration Testing Type: The specific type of test.
  • Penetration Testing Locations: How the connection to the client network is established.
  • Methodologies: OSSTMM, PTES, OWASP, etc.
  • Objectives / Flags: Specific users, files, or information to target.
  • Evidence Handling: Encryption and secure protocols for handling evidence.
  • System Backups: Acknowledgment of client’s backup procedures.
  • Information Handling: Strong data encryption requirements.
  • Incident Handling and Reporting: Process for emergency contact and test interruptions.
  • Status Meetings: Frequency, dates, times, and attendees.
  • Reporting: Type, target readers, and focus of the final report.
  • Retesting: Start and end dates for retesting patched vulnerabilities.
  • Disclaimers and Limitation of Liability: System damage, data loss.
  • Permission to Test: Confirmation of signed contract.
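The scope questions above (IPs/CIDR ranges, domains/subdomains) and the RoE's Scope and Scope Limitations items are only useful if every target is checked against them before traffic is sent. The following Python is an added example, not part of the original template: a small scope gate that reads in-scope entries and exclusions in the form they appear in a signed RoE, answers "is this target in scope?", and sizes the address space for the questionnaire. All scope entries, hostnames and addresses in it are constructed placeholders (RFC 5737 documentation ranges and example domains), not any client's assets.

```python
"""Scope gate for a penetration test.

Checks each candidate target against the in-scope list (IPs, CIDR ranges,
domains/subdomains) and the exclusion list agreed in the RoE, before any
scanner is pointed at it. Added example; the entries below are constructed.
"""
import ipaddress

# Constructed sample scope, as it might be copied from a signed RoE.
IN_SCOPE = [
    "10.10.10.0/24",        # internal user VLAN
    "192.0.2.0/28",         # public range (TEST-NET-1, documentation only)
    "203.0.113.17",         # single external host
    "example.com",          # apex domain; all subdomains included
    "*.shop.example.net",   # explicit wildcard: subdomains only, not the apex
]

# "Scope Limitations & Restrictions": critical hosts that must be avoided.
# Exclusions always win over in-scope entries, however broad the latter are.
EXCLUDED = [
    "10.10.10.250",         # constructed: SCADA gateway, do not touch
    "192.0.2.4/30",         # constructed: payment gateway block
    "legacy.example.com",   # constructed: unstable server, excluded by client
]


def _split(entries):
    """Separate IP/CIDR entries (parsed as networks) from hostname patterns."""
    nets, hosts = [], []
    for entry in entries:
        entry = entry.strip().lower()
        if not entry:
            continue
        try:
            # strict=False so "10.10.10.7/24" still parses as a /24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.append(entry)
    return nets, hosts


def _host_matches(target, pattern):
    """An apex name covers itself and every subdomain; a '*.x' pattern
    covers only subdomains of x, never x itself."""
    if pattern.startswith("*."):
        return target.endswith(pattern[1:])          # ".shop.example.net"
    return target == pattern or target.endswith("." + pattern)


def in_scope(target):
    """True only if target is covered by IN_SCOPE and not by EXCLUDED."""
    target = target.strip().lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None                                  # treat as a hostname
    # Exclusions are evaluated first so a narrower exclusion inside a wider
    # in-scope range blocks the host.
    for entries, verdict in ((EXCLUDED, False), (IN_SCOPE, True)):
        nets, hosts = _split(entries)
        if addr is not None and any(addr in net for net in nets):
            return verdict
        if addr is None and any(_host_matches(target, h) for h in hosts):
            return verdict
    return False                                     # default deny


def address_count(entries):
    """Number of IP addresses covered by the IP/CIDR entries, which is what
    the 'How many IPs/CIDR ranges in scope?' question is sizing."""
    nets, _ = _split(entries)
    return sum(net.num_addresses for net in nets)


def filter_targets(targets):
    """Partition a discovered target list; only 'allowed' goes to scanners."""
    allowed = [t for t in targets if in_scope(t)]
    blocked = [t for t in targets if not in_scope(t)]
    return allowed, blocked


if __name__ == "__main__":
    print("addresses in scope:", address_count(IN_SCOPE))
    found = ["10.10.10.7", "10.10.10.250", "192.0.2.5",
             "www.example.com", "legacy.example.com", "shop.example.net"]
    ok, blocked = filter_targets(found)
    print("allowed:", ok)
    print("blocked:", blocked)
```

Run the gate over every host list produced by discovery (subdomain enumeration, ping sweeps, DHCP leases) before feeding it to a scanner; the default-deny return means a typo in the scope file blocks a host rather than silently including it, which is the failure mode you want when the alternative is testing an asset the client never authorised.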

6. Kick-Off Meeting Agenda

  • Attendees:
    • [List of Client POCs]
    • [List of Client Technical Staff]
    • [List of Pentesting Team Members]
  • Agenda Items:
    • Review nature and scope of the penetration test.
    • Confirm Rules of Engagement (RoE).
    • Define “Critical Vulnerability” and the process for immediate notification (e.g., for unauthenticated RCE).
    • Discuss potential risks (log entries, alarms, accidental account lockouts).
    • Explain the full penetration testing process in a clear, non-technical way.
    • Confirm client’s goals and priorities.
    • Open floor for Q&A.

7. Physical Assessment Addendum

  • Introduction
  • Contractor
  • Purpose
  • Goal
  • Penetration Testers
  • Contact Information
  • Physical Addresses
  • Building Name
  • Floors
  • Physical Room Identifications
  • Physical Components
  • Timeline
  • Notarization
  • Permission to Test (“Get Out of Jail Free Card”)

Pre-Engagement

Baseline Tracking of Technological Assets

Diagrams.net: https://app.diagrams.net/

  • DNS records, network device backups, and DHCP configurations
  • Full and current application inventory
  • A list of all enterprise hosts and their location
  • Users who have elevated permissions
  • A list of any dual-homed hosts (2+ network interfaces)
  • Keeping a visual network diagram of your environment

People, Processes, and Technology

Processes

  • Proper policies and procedures for asset monitoring and management
    • Host audits, the use of asset tags, and periodic asset inventories can help ensure hosts are not lost
  • Access control policies (user account provisioning/de-provisioning), multi-factor authentication mechanisms
  • Processes for provisioning and decommissioning hosts (e.g., baseline security hardening guidelines, gold images)
  • Change management processes to formally document who did what and when they did it

Perimeter First

  • What exactly are we protecting?
  • What are the most valuable assets the organization owns that need securing?
  • What can be considered the perimeter of our network?
  • What devices & services can be accessed from the Internet? (Public-facing)
  • How can we detect & prevent when an attacker is attempting an attack?
  • How can we make sure the right person &/or team receives alerts as soon as something isn’t right?
  • Who on our team is responsible for monitoring alerts and any actions our technical controls flag as potentially malicious?
  • Do we have any external trusts with outside partners?
  • What types of authentication mechanisms are we using?
  • Do we require Out-of-Band (OOB) management for our infrastructure? If so, who has access permissions?
  • Do we have a Disaster Recovery plan?

Internal Considerations

  • Are any hosts that require exposure to the internet properly hardened and placed in a DMZ network?
  • Are we using Intrusion Detection and Prevention systems within our environment?
  • How are our networks configured? Are different teams confined to their own network segments?
  • Do we have separate production and management networks?
  • How are we tracking approved employees who have remote access to admin/management networks?
  • How are we correlating the data we are receiving from our infrastructure defenses and end-points?
  • Are we utilizing host-based IDS, IPS, and event logs?

Third-Party Infrastructure

Sensitive Data Regulations